A threat actor is selling what they claim to be 30 million T-Mobile customers’ Social Security and driver’s license numbers on an underground web forum. The collection is a subset of the purported 100 million records contained in the stolen databases. The seller’s offer does not mention T-Mobile by name, but the seller told the publications Motherboard and BleepingComputer that the source is in fact T-Mobile’s servers. Specifically, they claim to have penetrated T-Mobile’s production, staging, and development servers beginning in August 2021, including an Oracle database server that held the customer data.
On 16 August 2021, T-Mobile told news outlets that it was investigating the alleged data breach, which first came to light on an underground forum over the weekend. The company confirmed to Threatpost that it had determined there had been unauthorized access to “some T-Mobile data,” though it did not answer questions about the scope of the breach. T-Mobile had not yet determined whether personal customer data was involved, but said that it was “confident that the entry point used to gain access has been closed,” which matches the threat actor’s claim that the telecom had shut down whatever backdoor they had used. T-Mobile also said that a “deep technical review of the situation” across its systems, to identify the nature of any data that was illegally accessed, was ongoing. “This investigation will take some time but we are working with the highest degree of urgency,” the statement continued. “Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.” The company said that it is working with law enforcement on the incident.
Even though T-Mobile has not yet confirmed that personal data was involved in the breach, T-Mobile customers would be well advised to change their account security PINs, given the laundry list of details that were purportedly exposed. The seller told BleepingComputer that the records contain:
- Social Security numbers
- Phone numbers
- Names
- Security PINs
- Physical addresses
- Unique IMEI numbers
- IMSI numbers
- Driver license numbers
- Dates of birth
The attacker said T-Mobile’s “entire IMEI history database going back to 2004 was stolen.” An IMEI (International Mobile Equipment Identity) is a unique 15-digit code that identifies a mobile handset itself, independent of the SIM card inserted in it, while an IMSI (International Mobile Subscriber Identity) is a unique number that identifies each subscriber on a cellular network. Motherboard has seen samples of the data and confirmed that it is accurate information belonging to T-Mobile customers. The records contain “Full customer info” for T-Mobile USA customers, the threat actor told Motherboard in an online chat.
Cybersecurity intelligence firm Cyble told BleepingComputer that the threat actor claims to have obtained several databases, totaling approximately 106GB of data, including T-Mobile’s customer relationship management (CRM) database. The asking price for the 30 million records is six bitcoin, worth about $280,000 at the time, which works out to roughly one cent per record. The sale price is “crazy cheap,” one expert told Threatpost. That is quite a bargain for cyber crooks, given that the records are rich in data that can be used to conduct “targeted mobile attacks, social engineering, sophisticated phishing campaigns or financial fraud.”
Swiss security firm ImmuniWeb, a member of the Europol Data Protection Experts Network, told Threatpost that what is even worse is that the records reportedly encompass data from 2004 to 2021 and “can cause extreme invasion of privacy or be used for blackmailing of wealthy victims. Given that the offer seems to be new and unique, the records, which allegedly contain such extremely sensitive data as social security numbers and full histories of mobile phone usage, can be exploited to conduct targeted mobile attacks, social engineering, sophisticated phishing campaigns or financial fraud,” ImmuniWeb said via email. It believes it is “pretty likely” that one of T-Mobile’s suppliers could have unwittingly facilitated or caused the data breach, “based on the available technical information. If so, it will be another grim reminder about the importance of Third-Party Risk Management (TPRM) programs and risk-based vendor vetting,” they noted.
Analysts predict T-Mobile could be in for intense legal action if the breach is confirmed. “T-Mobile may face an avalanche of individual and class action lawsuits from the victims, as well as protracted investigations and serious monetary penalties from the states where the victims are based. It would be premature to make conclusions before T-Mobile makes an official statement on the quantity and nature of the stolen data. The potential victims should refrain from panic and contact T-Mobile asking what type of intermediary support and compensation may be provided while the investigation is in progress. Some remediation actions, such as changing your driving license, may be time-consuming and costly, and I’d not precipitate here unless T-Mobile undertakes to cover the costs or confirms that the information was actually stolen.”
If T-Mobile was in fact breached, and if 100 million customers’ data was in fact involved, it would still not be the biggest breach so far this year. It is overshadowed by the LinkedIn breach in June, in which 700 million users’ data was posted for sale on the underground.
Egress told Threatpost that the threat to T-Mobile customers is high. “The data leaked in this breach is reported as being already accessible to cybercriminals, who could now ‘weaponize’ it to formulate sophisticated phishing attacks targeting the victims,” Egress’ Chapman said in an email. Egress advised affected customers to be wary of “any unexpected communications they might now receive, whether that’s over email, text messages or phone calls. Follow-up attacks may utilize the information accessed through this data breach to trick people into sharing more personal data that can be used for identity and financial fraud.” Egress added that the incident “highlights the need for organizations such as T-Mobile to put in place the right technology to secure their sensitive data and defend their employees and their company from targeted attacks by cybercriminals. It’s time for organizations to take responsibility and ensure they’re keeping their customers’ data out of the hands of cybercriminals.”
T-Mobile provided the following statement to Threatpost:
“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.
We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.
We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.”
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Source: https://threatpost.com/t-mobile-investigates-100m-records/168689/
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941